A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is deployed in the public subnets, and an Auto Scaling group of web servers is deployed in the private subnets. The web servers need to frequently make HTTPS requests to an external API. The API provider requires that all requests originate from a consistent set of static IP addresses for whitelisting. The SysOps administrator must ensure that outbound traffic from the web servers has static source IP addresses. Which solution should be implemented?
Deploy a NAT gateway in a public subnet, associate an Elastic IP with it, and point the private subnets' default route (0.0.0.0/0) at the NAT gateway. Outbound traffic from the web servers then leaves the VPC with the Elastic IP as its source address, which is the static address the API provider can whitelist, while the web servers themselves keep no public IP.
Why this answer
Option B is correct because a NAT gateway placed in a public subnet with an Elastic IP provides a consistent, static source IP for all outbound traffic from instances in private subnets. The private subnets' route table sends 0.0.0.0/0 to the NAT gateway, which performs source NAT (SNAT) with the Elastic IP, so every HTTPS request the web servers make arrives at the API provider from that address, satisfying the whitelisting requirement. The design keeps the web servers in private subnets (no public IP, not directly reachable from the internet) while the ALB remains the only inbound entry point. One caveat a practitioner should plan for: a NAT gateway is tied to a single Availability Zone, so a multi-AZ deployment should use one NAT gateway per AZ, each with its own Elastic IP, with each AZ's private route table pointing at the NAT gateway in the same AZ; the provider then whitelists all of those Elastic IPs. The set stays fixed no matter how often Auto Scaling replaces instances.
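The check that goes with this design is an audit that every private subnet's default route really does leave through an available public NAT gateway, and a list of the Elastic IPs that must be sent to the API provider. The script below is an added example, not code from the original page or from AWS; it runs offline on constructed data shaped like the responses of boto3's describe_route_tables and describe_nat_gateways calls (the route table, subnet, NAT gateway and IP values are invented for illustration), and it deliberately includes one misconfigured private route table whose default route points at an internet gateway instead of a NAT gateway.

```python
"""Audit egress from private subnets for a static-source-IP requirement.

Every private subnet's 0.0.0.0/0 route must target a NAT gateway that is
available and has an Elastic IP; the union of those Elastic IPs is the
whitelist the API provider needs. Added example with constructed data.
"""

# Constructed sample data in boto3 response shape (not from a real account).
# In practice:
#   ec2 = boto3.client("ec2")
#   route_tables = ec2.describe_route_tables()["RouteTables"]
#   nat_gateways = ec2.describe_nat_gateways()["NatGateways"]
ROUTE_TABLES = [
    {   # private subnet, AZ a: default route via the NAT gateway in AZ a (correct)
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-private-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"},
        ],
    },
    {   # private subnet, AZ b: default route via the NAT gateway in AZ b (correct)
        "RouteTableId": "rtb-private-b",
        "Associations": [{"SubnetId": "subnet-private-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"},
        ],
    },
    {   # misconfigured private subnet: default route points at the internet gateway
        "RouteTableId": "rtb-private-c",
        "Associations": [{"SubnetId": "subnet-private-c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "State": "available", "SubnetId": "subnet-public-a",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-a"}]},
    {"NatGatewayId": "nat-b", "State": "available", "SubnetId": "subnet-public-b",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-b"}]},
]

# The private subnets the Auto Scaling group launches into (constructed IDs).
PRIVATE_SUBNETS = {"subnet-private-a", "subnet-private-b", "subnet-private-c"}


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit_egress(route_tables, nat_gateways, private_subnets):
    """Return (static_ips, findings).

    static_ips: sorted Elastic IPs the API provider must whitelist.
    findings:   problems found; empty when every private subnet egresses through
                an available NAT gateway that holds an Elastic IP.
    """
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    static_ips, findings, covered = set(), [], set()

    for rt in route_tables:
        # Only look at route tables explicitly associated with a private subnet.
        subnets = {a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a}
        subnets &= private_subnets
        if not subnets:
            continue
        covered |= subnets
        route = default_route(rt)
        if route is None:
            findings.append(f"{rt['RouteTableId']}: no default route; "
                            f"{sorted(subnets)} cannot reach the external API")
            continue
        nat_id = route.get("NatGatewayId")
        if not nat_id:
            # e.g. an internet gateway target: source IP would not be a fixed EIP
            findings.append(f"{rt['RouteTableId']}: default route target is not a NAT "
                            f"gateway ({route}); source IP will not be static")
            continue
        nat = nat_by_id.get(nat_id)
        if nat is None or nat.get("State") != "available":
            findings.append(f"{rt['RouteTableId']}: {nat_id} is missing or not available")
            continue
        ips = [a["PublicIp"] for a in nat.get("NatGatewayAddresses", []) if a.get("PublicIp")]
        if not ips:
            findings.append(f"{rt['RouteTableId']}: {nat_id} has no public Elastic IP")
            continue
        static_ips.update(ips)

    # A private subnet with no explicit association falls back to the main route
    # table, which this audit did not inspect; flag it rather than assume.
    for subnet in sorted(private_subnets - covered):
        findings.append(f"{subnet}: no explicit route table association (main table applies)")
    return sorted(static_ips), findings


if __name__ == "__main__":
    ips, problems = audit_egress(ROUTE_TABLES, NAT_GATEWAYS, PRIVATE_SUBNETS)
    print("Elastic IPs to whitelist:", ", ".join(ips))
    for problem in problems:
        print("FINDING:", problem)
```

On the constructed data the audit reports the two Elastic IPs 203.0.113.10 and 203.0.113.11 and one finding for rtb-private-c, whose default route targets an internet gateway; instances there have no public IP, so they would get no egress at all, let alone a static source address. Run it against real describe_* output before handing the provider a whitelist, and re-run it whenever NAT gateways or route tables change.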
Exam trap
The trap here is confusing two different kinds of "static IP". AWS Global Accelerator's two static anycast addresses are inbound entry points for your endpoints (ALB, NLB, EC2); they never become the source address of traffic your instances send out. Likewise, VPC endpoints (gateway endpoints and interface endpoints via PrivateLink) reach AWS services and services published over PrivateLink, not arbitrary third-party APIs on the internet. Only a NAT gateway (or a self-managed NAT instance) with an Elastic IP gives outbound traffic from private subnets a fixed public source address.
How to eliminate wrong answers
Option A is wrong because moving the web servers into public subnets with public or Elastic IPs exposes them directly to the internet instead of only through the ALB, and an Auto Scaling group launches and terminates instances continuously, so each new instance would need its own Elastic IP allocated and associated; the set of source addresses would churn, and per-instance addresses do not scale. Option C is wrong because a VPC endpoint provides private connectivity to AWS services (for example S3 or DynamoDB) or to PrivateLink-published services over the AWS network; it cannot reach an external HTTPS API on the internet and gives outbound traffic no static public source IP. Option D is wrong because AWS Global Accelerator provides two static anycast IP addresses for inbound traffic to your application endpoints (for example an ALB or NLB); it does not carry outbound traffic from instances and has no effect on the source IP of the web servers' requests.